Posted
by
CmdrTacoon Tuesday October 05, 2010 @12:58PM
from the heroes-and-villians dept.

JWSmythe writes "Free Internet Press has an interview with 'Random Digilante,' an anonymous hacker who has been taking over forum spammers' email accounts, and notifying forum operators to delete those accounts. It looks like his reasoning is sound, and his methods are safe, where he won't hurt any real users."

That's exactly what a spammer would say. Spam costs real people real money. Email is already a fairly heavily I/O bound process, especially at volume. I've seen spam floods kick a server from a load of 2 to a load of 15, and banning the sending IPs dropped the load immediately, but only once we figured out it was email that was causing the issue. After that incident, that became the first thing I'd check, if it weren't completely obvious that it was a problem account on the server (I was an admin at a w

That was at my last job. I left for other reasons. But if it's a cross between infrastructure building/projects/expansion, or slogging against punk-ass mailers, I'll choose the digging through Perl to the playing whack-a-mole against the spammers.

There were a lot of projects and other tasks that got delayed or just died because we were too busy doing crap like that.

You really believe that the reason that slashdot wouldn't have spam if people were able to post spam on slashdot and have it reach more than a few eyeballs?

Anyway, slashdots system isn't perfect, and is designed to do more than kill spam. Regardless I think it works fairly well for what it does.

For eliminating spam in forums and comments, all you need to do is this:

Give the readers the ability to mark comments as spam with one click, and, as long as the reader has a decent history of not abusing the priviledge, the message will disappear immediately.

This isn't that hard, but to do it well isn't trivial either. Probably best done by a company like Disqus where it is their business.

There would need to be some checks and balances, where a person can get reported for erroneously marking something as spam. The system needs to be scalable, so that the admin of the forum doesn't have to deal with much, as all the work is done by users, and there is a checks and balances system to determine how much to trust users.

The nice thing is that over time it reduces the incentive to bother spamming the forums, since (typically) the first person who sees a message, eliminates it. Also, on a system like disqus, where you have a global identity with some history, it could be smarter about how prominent to make posts if the person has no history of posting without being marked as spam.

Your comment is well-thought-out here, but I have to say your recommended approach is flawed when dealing with a vast quantity of comment spam. It certainly will work on high-traffic sites like slashdot. The problem is with lower-traffic sites with a lot of scattered content. In high-traffic forums, your approach will generally work.

Sites with articles and photo albums, will need to additionally disable comments on older content because it won't be seen by visitors, but the indexing bots will pick up the t

As I said, its not a completely trivial problem. (BTW, sorry for the first sentence in my post which was garbled. I meant to say something like: "You really believe that slashdot wouldn't have spam, if people were able to freely post spam on slashdot and have it reach more than a few eyeballs?")

First off, I think signatures that can be changed later are seriously problematic. (I hate sigs, personally) If people find that feature so important, it would have to be handled separately. (e.g. users with

Ethanol-fueled (1125189) is not a bot, does not seem to have a history of spamming, and thus is pretty much irrelevant to the discussion. If eldavojohn were to actually do this, Ethan Pearsall from Santa Rosa California would be able to accuse eldavojohn of hacking, which might be illegal where eldavojohn lives. It would be taken as seriously as the locale takes unauthroized computer access.

Not really and Slashdot really highlights it because far too often people who disagree with the poster will mod that post down for no other reason other than that. The reason why/. doesn't have much spam is because there is no market, how many people on Slashdot would want to buy P3n15 3nh@nc3rz?

I ran a forum for a couple years that was used by a group of about a dozen people. It was targeted repeatedly by forum spammers.

The scale of the operation seems to have little bearing on whether they'll target something or not. It's much more likely that the key issue is whether they can easily use automated spamming software. They probably don't bother with unique commenting systems, just those that have a large number of installations.

Actually, Slashdot has done some work to reduce/prevent it. If I remember Slashcode right from years ago, there were significant safeguards. There was a period of a couple weeks where some determined spammers were hitting here, but even then they were only getting 3 or 4 spammy posts in per 100 real ones. I suspect there may have been some upset users who may have taken matters into their own hands on them, or at least it was suggested in the threads at the time.:)

Let me know if you find a good karma system. I have been on/. for years, have never posted anything remotely spammy, have attempted to participate in discussions... so why is my karma set at "bad"? I have no idea what, if anything, I can do about that and because of it my comments never appear in any discussion threads. It is likely nobody will ever see this unless, as you say, they dig through the low rated posts.
Not that I'm bitter.

That's fine that you do, but I don't consider it a big problem that those who want to read at that level are exposed to crap. As far as I'm concerned, the spam problem on slashdot is solved. I think slashdot's system could be a lot better (for instance, I think that those with good karma should ALWAYS be able to mark something as spam...not only when they have mod privileges), but at least there is little incentive to spam slashdot. I seriously doubt anyone who tries it is rewarded with any revenue from

I have been on/. for years, have never posted anything remotely spammy, have attempted to participate in discussions... so why is my karma set at "bad"?

Well, it seems that you've only submitted 5 comments in the last couple of years, so you're not exactly participating in a lot of conversations. Thus, you're not really "improving" (term used loosely) any of the comment threads, and therefore not receiving any good karma.

Not trying to be snarky here, I'm genuinely surprised you didn't realize this.

I agree that what you describe is the worst thing about Slashdots system, it took my a year to get good karma (although I don't think mine was ever bad). I would like to see someone design a system that works better in that regard, and others.

And, then you get flame wars, cliques, and karma bombing. Nothing like watching a small group of people with multiple accounts spend a few weeks clobbering one's karma by modding down old posts. It has happened to me and can happen to anyone, including you. All it takes is offending the wrong fanboys.

So, what you are saying is that Slashdot has a bad karma system.
Nothing that inflammatory, just completely opposite of those that karma bombed me, backed up by evidence. They couldn't take being proven wrong.

Ok, great solution. But how many forums are run by people who picked a package and got a friend to install it? And of them, how many never upgrade the software, regardless of how many spambots abuse them, or warnings on the publishers site say "you must upgrade because of this huge security flaw"?

I remember one that was a pretty good little site. He stopped maintaining it, because the forum wasn't just exploited, but they locked him out of the admin interface. He didn't tak

There are lots of smart ways to handle it that don't require extreme measures like charging to post, or having vigilantes out there hacking accounts. It amazes me this problem hasn't been addressed well yet.

Free Republic takes it to a higher level and eliminates any dissenting voices by deleting their posts, banning their accounts from posting, and logging their IP address so that future accounts created at that IP are automatically banned.

Forum spam is a different story, of course. But the thinking behind it is the same. These are posts that are not welcome on this site, therefore we must eliminate them.

By that logic, locking up murderers is also groupthink. I would beg to differ - groupthink is a decidedly different beast than a group of people all crying out against the same problem: in the latter case, the majority of the group has come to the conclusion that behaviour x is unwanted on their own, based on their personal experiences; and not because a lot of their peers also have that opinion.

Of all the sites I've visited, Slashdot (and perhaps Kuro5hin) has the best system.

The system used by Kuro5hin (scoop) is used by many other sites including political popular sites like DailyKos and RedState.

Personally, I think Slashdot is better, but it's more developed and nuanced... the moderation qualification (ie, Funny, Insightful, Troll, etc) is what makes a huge difference in avoiding the puritans downmodding sarcasm and/or unpopular but useful posts.

Actually, the media underhypes it if anything. Sure as far back as Vietnam, and probably earlier there were gays serving more or less openly. The problem though is that as soon as one of them starts doing something which arouses too much attention or makes somebody jealous or gets a promotion that somebody else wanted.

There's a reason why there's a difference between de juris and de facto in these cases. Hell, even if you manage to make it 18 years, there's cases where people get outed and booted anyways

As someone who deals with forum spam on a daily basis, I'm rather surprised at how intelligent the spambots are becoming.

Of course there's always the blatant, obvious spam (99% of which are video encoding tools for iPad, iPhone, etc). But I've recognized two other types of very covert spambots.

First one will take fragments of sentences from previous posts in the topic and regurgitate them. At first glance it seems on topic, but closer inspection reveals the post doesn't make sense and is just portions of others' posts.

The second type uses a database of sentences harvested from other websites, and attempts to post a sentence that matches keywords in that topic. Usually I can spot those because they aren't exactly on topic to the thread. I've also seen these modify various throw-away words, like adjectives and articles, so the sentence isn't an exact copy of the original source.

Now the key thing with both of these kinds of spambots is that they do not include any links initially. A couple weeks after posting they come back and change their signature, which results in spam links appearing under all of their previous posts.

I've also noticed that the vast majority of spambots use yahoo.com email addresses, so yahoo's captcha must be weaker than gmail / hotmail.

Now on the topic of this story, I don't quite understand. The forums I moderate have a few spambot accounts created daily (using recaptcha and custom implemented captcha). So it's not like there's just a couple spambot accounts causing all the trouble. Over the course of a month it around a hundred different accounts. So I don't see how this hacker is helping anything going after accounts one at a time manually.

Here's a specific example of what I'm talking about. Here is a post made to my forums in July 2010:

You can choose ‘Micro-ATX’ size motherboard for your HP. That limits the possible range of motherboards deals you will find. My advise is to buy a case that fits full ‘ATX’ form factor motherboards and go from there, many choices. It is depending on money and what you want if your building a good rig for gaming multimedia etc and don't buy a case with power supply. Please choose a separate power supply.

Now here is a post from another website made in 2009:

Your HP case (the cheapest part of the pc!) takes a ‘Micro-ATX’ size motherboard.

That limits the possible range of motherboards\deals you will find. (look for a motherboard\processor package)

Now you are already buying ‘a whole new computer’ except the case, why stop there? (unless you want the small form factor)

My advise (thats why your here!) is to buy a case that fits full ‘ATX’ form factor motherboards and go from there, much more choice.

Depending on money and what you want if your building a good rig for gaming\multimedia etc DON’T buy a case with power supply, they are usually sh*t (cheap\unreliable). Choose a case, choose a separate power supply (after research!)

First one will take fragments of sentences from previous posts in the topic and regurgitate them. At first glance it seems on topic, but closer inspection reveals the post doesn't make sense and is just portions of others' posts.... A couple weeks after posting they come back and change their signature, which results in spam links appearing under all of their previous posts.

For another example of this exact thing, just look at slashdot user clint999.

Now the key thing with both of these kinds of spambots is that they do not include any links initially. A couple weeks after posting they come back and change their signature, which results in spam links appearing under all of their previous posts.

I'm guessing those are paid spammers from places like India or even the United States. Amazon's Mechanical Turk [mturk.com] are full of shady jobs like this, and I'm sure they're not the only operation around. Pay somebody 10 cents to put a post on a forum, multiply by a thousand times, and you've got a really good search engine optimization for $100.

Only a hundred different accounts in a month? With some of my old forum software, I was getting ~20-40 a day for a while. Basically I just turned off automatic activation and required every "real" person to read the activation message to get fully activated. (Small group of people, tied to a game, so people could contact me inside the game as verification.)

Part of the problem was the captcha was broken in the old version, so I had it turned off. With the most recent update they fixed the captcha, and I've

It would be nice to live in a world where whistleblowers and positive vigilantes were rewarded for their actions. But, in the vast majority of cases, these people end up in more trouble than the scumbags they're exposing and fighting. This guy will probably end up with more legal trouble for fighting spam than the spammers themselves will ever face for their network-clogging, frequently illegal, openly harassing activities.

I received one of his e-mails today. For anyone interested, here is the e-mail he is sending.

Do not auto-approve this forum account, it was created by a forum spammer.

The account which created this forum account did so using automated means. The reason was so that he could post a forum account and then use it to automatically post thousands of fake messages to your forum to promote some form of ridiculous product there.

In all likelihood your website has nothing to do with whatever this idiot is promot

This is probably obvious, since no one is talking about it, but how is he taking over the email addresses? Surely the bots aren't registrering on his honeypot forums with the same password as is used for the e-mail they use to register.

Surely the bots aren't registrering on his honeypot forums with the same password as is used for the e-mail they use to register.

That's exactly what they are doing.

From what I gather, he's written a program to automatically feed suspicious looking e-mail addresses into and check the the registration password/e-mail combo to see if they are using the same for both the e-mail address and the forum software. If there it is a successful combination, it flags and suspends the account.

Dunno if that is 100% correct, but that's what I've gathered (I have not RTFA either)

RD: If I were taking over an account that was created by a human being who actually cared to contribute to my forums, yes that would be illegal.

FIP: Are you concerned about the possible legal consequences of your actions?

RD: Here is the reasoning I use, and I know that a lot of people argue it.Especially now that I have a few dedicated forums whose only reason for existing is that they capture the login credentials of forum spammers, my feeling is that they're not people, they're robots. Xrumer [a forum spamming software] is a 100% automated process. The human has to set up the email address where the responses get sent for things like confirming your account by clicking on a link, but everything after that is done by the software. No human being is harmed by what I do, only a piece of software. If they cared, they would pay attention to the fact that these accounts are getting taken over very regularly by me. They don't. They just set up new accounts and start over.

It's hard to feel "bad" about taking these accounts over. All I can tell you is that I have never taken over any account that was not very obviously being solely used repeatedly to auto-register to forums. In fact by the time I get to them it's obvious that the spammer only set them up from 1 - 6 days prior to me taking it over. There are no human-written messages in any of these accounts. I certainly would not have gone so public with this activity if there had been. Only purely automated messaging has ever been present in any of these, and I have enough hard data to back that up.

Basically he claims that since a robot registered the e-mail accounts, you aren’t infringing on any person’s rights.

Clearly - the best way for him to get around this legal debacle, is to take the breaking into and shutting down process and make it into a simple shell script.

With Robots fighting robots, he's not actually breaking into the accounts, they aren't actually registering, and its all fair game. And then when people claim that they were in fact the ones registering the accounts, they can stand before the court with 2000+ charges against the CAN-SPAM act.

Somewhat make me remember irc bots (or more recently, google wave bots), where some where spammers, some don't. Putting them all into the same bag darkens a bit that gray area. Somewhat a rightful use of automated tools became quicksand because spammers can use it too.

Never heard of change Xrumer, interesting. Vbulletin has a lot of plugins and user setting that capture or deny 99% of the spam. Its to the point that on a good Vbulletin setup, the only place a new user can add an external URL is in their profile, which would be a nofollow link anyway. I still haven't figured a way to deny a new user with less than 5 posts a link to their homepage though

Chances are the human operator doesn’t even know what happened to the account, the robot just flags it as deactivated and asks the human to feed it more accounts. They probably don’t have any way of telling that somebody hacked the account and closed it vs. e-mailing the e-mail provider and having it shut down properly.

Of course the main question (in my mind, at least) is why spammers are registering forum accounts with the same password they used to register the junk e-mail account that they’re registering under...

There is an easy fix for this. In his forum's usage agreement he needs to add a line stating that if he detects you are running a spambot he has the right to hack your account & disable it. Problem solved.

But he is doing this on other people's sites. Including mine, coincidentally. I already have spam filtering methods in place. Spambots can register but they can't do much of anything. I "trap" them quite effectively.

I'm rather annoyed that he is breaking into spambot accounts on my site and sending me messages to deactivate their accounts. I don't need to deactivate their accounts--they are well-contained already. His "helpful" messages wind up being a greater irritant to me than the spambots themselves. I don't need you to tell me how to run my site, thanks.

I don't see how it's my responsibility to prevent spam on anyone's site but my own.

I thought Slashdotters were big on personal responsibility. Make sure your site is secure and doesn't let spambots run roughshod over everything. People who let spambots take over their sites and crap up the place aren't going to have much traffic. It's a self-correcting problem unless you're just not paying attention at all to your site.

If he wants to help people, that's fine, but going out and giving people unsolicited "hel

Doesn't sound like he's breaking into the accounts on other people's sites. He's just setting a vacation message ("Out of Office" for those stuck with Outlook) on the e-mail accounts that are used for spamming. The message only gets sent in response to e-mails that the account receives (according to his website).

It sounds like I misunderstood what he was doing. However, Google might be interested to know that he apparently has control over some (many?) spambot Gmail accounts, since that's where the messages I've got are coming from.

I do hope his messages are helpful to others but they sure aren't of much use to me.

I dislike people who have their POP clients set to download email every minute and process it using filters to put any email from me into a special folder. Does that give me the right to then hack their email accounts and take them over? Using the logic RD outlined above, it very much does. Which should show just how spurious his logic is.

The POP using people you describe are taking their email and sorting it how they want to within their own mailbox. You may not like it, but it's their space.
The forum spammers you're comparing them to use their e-mail address and software with the sole purpose of invading his website, which he pays real money for, and spends time maintaining, and which other people use to have conversations. The spammers further use this software to stuff his website with ads for pills, child porn, and other nastiness. Th

"There's a reason why your mother taught you that two wrongs don't make a right."

Unfortunately, your Mother's clever saying presumes that the second act is a wrong. Since this discussion is about if it is in fact wrong or not, your presumption is unfounded. Bear in mind that doing something illegal is not necessarily wrong. In fact, my good friend Henry David Thoreau wrote an excellent essay [eserver.org] arguing that, in many cases, violating the law is in fact the only "Right" thing you can do.

"He's claiming that since a robot is operating the account, and he disagrees with the motivation behind the running of that robot, it's OK for him to hack into someone else's account"

It should be " it's OK for him to hack into *something* else's account" - it's not specific, and it's not setup by a human being, just some script running, so there can be no ownershipinvolved. Or would you claim that, would my dog succeed in opening a bank account, that I would be the legally responsible entity for that accoun

If you do what you want based on what you feel is right, we might just not have any laws at all. There is a reason why the laws are created by the society as whole and not a single person or a group with single interest.

So, just as an analogy, if the police decided to stop enforcing laws against auto theft, you believe it would be wrong for others to do so. I don't think that holds water. What this guys is doing is indeed illegal, but not immoral; when our government is unwilling or unable to enforce or prosecute laws it becomes incumbent upon non-sanctioned individuals to protect society by doing so. The simple fact is that the government is not able to even begin to scratch the sheer volume of spam, nor is it interested in going after spammers unless it can wrench a large settlement and some headlines out of the deal. If we wish to preserve the Internet as a medium for the exchange of ideas, some of us must take action to protect it from those who exploit it at a very real, monetary cost to innocent people.

And that action should go through the boxes in the correct order without skipping any. Jumping right to the 'ammo' box isn't the right way to do things in a lawful society.

Soap, ballot, jury, ammo: Ballot and jury fail unless the parties have substantial assets in the same jurisdiction. So I don't see anything wrong with skipping to ammo against judgment-proof [wikipedia.org] spammers.

What this guys is doing is indeed illegal, but not immoral; when our government is unwilling or unable to enforce or prosecute laws it becomes incumbent upon non-sanctioned individuals to protect society by doing so.

Bruce, we've been over the five stages of grief a million times: I keep telling you, you're stuck at Anger and you need to move on.

If you do what you want based on what you feel is right, we might just not have any laws at all. There is a reason why the laws are created by the society as whole and not a single person or a group with single interest.

So, just as an analogy, if the police decided to stop enforcing laws against auto theft, you believe it would be wrong for others to do so. I don't think that holds water. What this guys is doing is indeed illegal, but not immoral; when our government is unwilling or unable to enforce or prosecute laws it becomes incumbent upon non-sanctioned individuals to protect society by doing so. The simple fact is that the government is not able to even begin to scratch the sheer volume of spam, nor is it interested in going after spammers unless it can wrench a large settlement and some headlines out of the deal. If we wish to preserve the Internet as a medium for the exchange of ideas, some of us must take action to protect it from those who exploit it at a very real, monetary cost to innocent people.

The analogy is incorrect; it should say "if the government decided to redact laws against auto theft". A point covered by the parent is that the police deciding to do or not do something is not close to "society as a whole". Many argue the government isn't either, but there's at least a pretence and theoretical association. This goes a long way to explaining why there is a slight air of plausibility that the police may one day cease bothering to enforce auto theft, yet the idea that the government may legal

I think you're right, but is it more illegal than spamming? I believe the kind of spam sent by these people/bots is illegal in the United States and several other countries (though I'm not american, so I may be wrong). The sender is hiding his identity, deliberately getting around spam prevention systems and offering no method for opting out. So we're dealing with criminals here, and what is law enforcement doing about it? Random Digilante writes in his blog that he contacts ISPs, who would normally be expected to investigate these people (who inclusively break the ISPs own terms of service), but they usually do nothing. So while the taking over of e-mail addresses registered by criminals for the sole purpose of breaking laws and annoying the hell out of everyone may not be exactly nice, shouldn't you save your indignation for the actual spammers, their customers, ISPs, law enforcement agencies and lawmakers? Or for people who are out in the streets embezzling, scamming, mugging, kidnapping, raping and murdering?

No matter your reason, it's illegal to access other peoples email accounts without their permission. Even more so when you disable the accounts.

Not if you're the email provider. I had a gmail account that I used for mundane things like emailing friends and family (real meatspace friends, not facebook friends). They informed me that the account was being taken down for violating TOS. No indication of which Ts of the OS were violated; like I said, I used it for normal, mundane emailing and there is no way I v

As a juror, I would have a hard time voting to convict a person for such an offense. There is very little you can do legally against spammers, so just as the legal system turns a blind eye to their actions, there's nothing wrong with doing the same to vigilantes going after them.

No, but I could set it up so they are randomly getting 3 questions out of a list of N or so. I could also follow that up by auto-banning any IP & username that answers incorrectly more than N amount of times.

I guess if a human was directly targeting my website they could get thru, once, but that's a human doing the work & not a bot.

Then you should send this dipshit an e-mail back saying 'Your efforts are futile and absurd, plus you're just costing me more traffic by adding to the garbage already being sent out by the spambots. Cease and desist you incompetent fuckwit.'